evntwin, the Windows Event to SNMP Trap Translator, is a very powerful built-in utility contained within all Windows operating systems that lets you take any Windows event and generate an SNMP trap from it. This is especially useful for tying into WhatsUp Gold’s passive monitor system.

The problem

Have you ever had an issue working with the WinEvent passive monitor? You are not alone. Since the WinEvent passive monitors use WMI to get their information, there are a lot of outside variables to take into account. Are you using the proper credentials? Are your forward and reverse DNS entries correct? Is WMI properly allowed through the firewall on both ends? In a sense, despite being called a passive monitor, the WinEvent listener in WhatsUp Gold is not “passive”.

The way it works is that it registers for events. Say you want to collect every Event ID 1234. You create a WinEvent passive monitor and apply it to a device. WhatsUp Gold then tells the device, “If you receive Event ID 1234, tell me and give me the output.” However, WhatsUp Gold only checks that the connection behind this registration still exists every 60 seconds by default, regardless of whether the connection has been broken in the meantime. Since the WinEvent listener depends on that connection existing, it is possible to miss up to 60 seconds of events whenever the connection is broken, for example by a reboot of the device or a restart of the WhatsUp Gold services.

The solution

To me, the Windows Event passive monitor implementation discussed above never made sense. This is where evntwin comes to the rescue. Evntwin is a great alternative, and it is very easy to configure and use. As mentioned above, its full name is the ‘Event to Trap Translator’. And yes, it is built into all Windows operating systems; you do not need to download or install anything. Using the Event to Trap Translator is simple and much more reliable than depending on the WMI connection. The SNMP trap will always be sent, even while the server is still booting. This is a true passive monitor, because WhatsUp Gold will literally just be listening for that SNMP trap to come in.

Evntwin Step-by-Step Configuration

First, you’ll need to launch evntwin. Navigate to Start > Run (in Server 2012 and up, right-click Start and select ‘Run’) and then simply run evntwin, as you see below.

winevnt1
Start > Run > evntwin

This will launch the Event to Trap Translator. Now we want to tell it which Windows events we’d like to generate SNMP traps for. Select ‘Custom’ and then click ‘Edit’

winevnt2
Select ‘Custom’ and then click ‘Edit>>’

You’ll notice ‘Event sources’ lists quite literally every Windows event the system is capable of generating. Find the specific event(s) you care about, select one (or several) and click ‘Add’.

winevnt3
Find the Event IDs you want to know about, select them (ctrl+left-click works to do multiple as well) and click ‘Add’

Now simply hit ‘Apply’ and ‘OK’.

winevnt4
Click ‘Apply’ then ‘OK’

Restart the Windows ‘SNMP Service’ and you are all set. From here on out, your chosen Windows events will also generate SNMP traps. When one of those events occurs, the system sends an SNMP trap to whatever destination is configured in the ‘Traps’ tab of the SNMP service on that server.

You can also export the event lists and save as a file. Then you can use that file to apply the configuration to other systems using ‘evntcmd’. This operation can be scripted to run against many systems.

winevnt10
Select the events in the top section under ‘Events to be translated to traps:’, click Export, and save the config file.

Once you have exported and saved your .cnf file, just run the following from the command line. The command configures the target with the same events you set up manually in the previous steps; leave off the -n switch if you want evntcmd to restart the SNMP service for you as well:

evntcmd -s Hostname -n C:\path\to\file\events.cnf
winevnt11
Use evntcmd -s hostname C:\events.cnf (or wherever you saved your file) to set up this configuration elsewhere. It will also restart SNMP unless you specify the -n parameter.
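The post notes that the evntcmd step can be scripted against many systems. The script below is an added example (not from the original post) that does exactly that in Windows PowerShell: it pushes one exported events.cnf to a list of servers with evntcmd, then confirms on each that the SNMP service is running and that at least one trap destination is configured, since a translated event goes nowhere if either is missing. The host names and the config path are placeholders; the registry key under the SNMP service where trap destinations are stored is assumed from the standard SNMP service layout, and Get-Service -ComputerName is the Windows PowerShell 5.1 form (PowerShell 7 dropped that parameter).

```powershell
# Added example, not part of the original post.
# Deploy an evntwin-exported events.cnf to several hosts with evntcmd and
# verify each host can actually emit traps afterwards.

$ConfigFile = 'C:\snmp\events.cnf'          # assumed path of the file exported from evntwin
$Targets    = @('SERVER01', 'SERVER02')     # placeholder host names

# Registry location the SNMP service reads its trap destinations from (assumed standard layout):
# one subkey per community, with numbered values holding the destination hosts.
$TrapKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration'

foreach ($Target in $Targets) {
    # -s <host> applies the file remotely; without -n, evntcmd restarts the SNMP service itself
    & evntcmd.exe -s $Target $ConfigFile
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "evntcmd failed on $Target (exit code $LASTEXITCODE); skipping checks"
        continue
    }

    # Check 1: the SNMP service came back after the restart, otherwise no traps are sent at all
    $svc = Get-Service -ComputerName $Target -Name SNMP -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne 'Running') {
        Write-Warning "SNMP service is not running on $Target"
        continue
    }

    # Check 2: at least one trap destination exists (the 'Traps' tab of the SNMP service)
    $destinations = Invoke-Command -ComputerName $Target -ArgumentList $TrapKey -ScriptBlock {
        param($Key)
        if (-not (Test-Path $Key)) { return @() }
        Get-ChildItem $Key | ForEach-Object {
            $community = $_.PSChildName
            $props = Get-ItemProperty $_.PSPath
            # Numbered values (1, 2, ...) hold the destination host for this community
            $props.PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { "$community -> $($_.Value)" }
        }
    }
    if (-not $destinations) {
        Write-Warning "$Target has no SNMP trap destination configured; translated events will be dropped"
    } else {
        Write-Output "$Target configured; SNMP running; trap destinations: $($destinations -join ', ')"
    }
}
```

Run it from a workstation that has PowerShell remoting rights on the targets. The two checks are the ones most often skipped after a bulk push: the -n form of evntcmd leaves the service restart to you, and an empty Traps tab on a freshly built server silently discards everything evntwin translates.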

WhatsUp Gold Configuration

Now you configure WUG to listen for those events. I will update this soon with more detailed information…

winevnt13
Example configuration for SNMP Trap Passive Monitor
winevnt14
Example 2

And apply it to the device. Note: in this example, I am listening for that event ID and matching a certain description. These examples are looking for logon/logoff security events. Here is a list of logon types. It’s important to consider the formatting of the event description when adding a ‘match on’. Logon Type: 10 must be formatted with many spaces…copy and paste works best; for reference: Logon Type:                                       10
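Because the ‘match on’ text has to reproduce the padding inside the event description exactly, the safest source is the event itself rather than a hand-typed string. The following is an added example (not from the original post) that reads recent logon events from the local Security log and prints the ‘Logon Type:’ line verbatim, showing whether the padding is spaces or tabs, so it can be pasted into WhatsUp Gold as-is. It assumes the event being translated is Security event 4624 (a successful logon) and that logon type 10 (RemoteInteractive) is the value of interest; both are parameters. Reading the Security log requires an elevated prompt.

```powershell
# Added example, not part of the original post.
# Print the exact 'Logon Type:' line from a recent logon event so the padding
# can be copied into a WhatsUp Gold 'match on' field without guessing.

param(
    [int]$EventId         = 4624,   # assumed: successful logon event in the Security log
    [int]$WantedLogonType = 10      # assumed: the logon type the passive monitor should match
)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId } `
                       -MaxEvents 50 -ErrorAction Stop

$found = $false
foreach ($e in $events) {
    # Message is the rendered description; it can be empty if message resources are missing
    if (-not $e.Message) { continue }

    # Find the 'Logon Type:' line exactly as rendered, padding included
    $line = ($e.Message -split "`r?`n") |
            Where-Object { $_ -match '^\s*Logon Type:' } |
            Select-Object -First 1
    if (-not $line) { continue }

    # Our own filter is whitespace-tolerant; the padding is only relevant for what WUG must match
    if ($line -match '^\s*Logon Type:\s+(\d+)\s*$' -and [int]$Matches[1] -eq $WantedLogonType) {
        $pasteText = $line.TrimStart()
        # Isolate the padding between the label and the value and make it visible
        $padding = $pasteText -replace '^Logon Type:', '' -replace '\d+\s*$', ''
        $visible = $padding -replace "`t", '<TAB>' -replace ' ', '<SP>'

        Write-Output "Text to paste into 'match on' (between the brackets): [$pasteText]"
        Write-Output "Padding is $($padding.Length) character(s): $visible"
        Write-Output "Event time: $($e.TimeCreated)  Record: $($e.RecordId)"
        $found = $true
        break
    }
}

if (-not $found) {
    Write-Warning "No event $EventId with Logon Type $WantedLogonType in the last 50 records; widen -MaxEvents"
}
```

If the padding turns out to be tabs rather than spaces, paste the bracketed text directly rather than retyping it, since an editor that converts tabs to spaces will produce a string the trap payload never contains.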